Eleven percent of staff click on fake phishing mail

Published on 21 March 2019

Did you spot our fake phishing mail? At the start of March, over 3,000 staff members were sent an email asking them to log in with their ULCN account. About 11% fell for this phishing mail, which the Information Security Officers (ISO) from various departments had sent as a test.

The mail was part of a general security and privacy awareness campaign. It was also sent to identify which procedures should be followed in the event of a cyber attack. About 11% of the recipients clicked on the link in the mail, and about half of these actually logged in with their account.

Responses from the ISOs

‘Lots of people have said that the mail was very sophisticated,’ says Karel Roos, ISO at ICLON. ‘Despite this, one administrative assistant raised the alarm after only 27 minutes. She sent a mail to all of ICLON with the subject: Phishing mail. WATCH OUT!!!!!! The strange URL behind the link was what roused her suspicion. And she knew for sure when the helpdesk number in the mail turned out to be nonexistent.’

‘On Monday morning colleagues soon started asking whether the mail could be trusted,’ adds Johan Detollenaere. He is ISO at the Faculty of Science. ‘There was some discussion about the mail at various institutes, and towards the afternoon people had already suggested that it was a test. In short, many staff members are increasingly alert. What you notice is that the staff members who did click on the link or enter their details are mainly the ones that logged in later or don’t have an @leidenuniv.nl email address.’

Joint responsibility

Protecting privacy and sensitive data is all of our responsibility, and the University wants to help promote our digital safety. The results of this simulated phishing will be included in further privacy and security awareness campaigns and used to improve information security at the University.

How you could have spotted the phishing mail

• The mail about the ULCN account is unsolicited, the context is not very realistic and the layout differs from the standard ULCN mail layout (for an example see the bottom of this page).
• The sender is trying to pressurise you to log in by saying that otherwise your account will be blocked (3). The University would never do that.
• The sender has used the email address ulcn@leidenuniv.nl (1) instead of the standard noreply@leidenuniv.nl.
• The University doesn’t have a separate ULCN Helpdesk; it only has the ISSC Helpdesk (4).
• The contact details of the sender (name (ISSC Helpdesk), telephone number) are incorrect. The phone number of the ISSC helpdesk is 8888 and not 8889 (4).
• The URL of the link is systemconcern (2) instead of the regular ULCN login page.
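The indicators in the list above (wrong sender address, pressure to log in, a link that does not point at the ULCN login page, a non-existent ULCN Helpdesk, a wrong helpdesk number) can be turned into simple checks. The script below is an added example, not code from Leiden University or its ISOs; the two mails it inspects are constructed for the demonstration, and the login host `login.leidenuniv.nl` is an assumed placeholder for the real ULCN login page.

```python
"""Check a raw e-mail for the phishing indicators named in the article.

Added example; the reference sender address and helpdesk number come from
the article, the login host is an assumption, and both sample mails are
constructed for this demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_SENDER = "noreply@leidenuniv.nl"      # from the article
EXPECTED_LOGIN_HOST = "login.leidenuniv.nl"    # assumption, not the real ULCN host
HELPDESK_PHONE = "8888"                        # ISSC Helpdesk number from the article

URGENCY_RE = re.compile(r"account will be (?:blocked|suspended)", re.I)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)
# A four-digit number following "call", "on", "phone" or "tel" is read as a helpdesk number.
PHONE_RE = re.compile(r"\b(?:call|on|phone|tel\.?)\s+(\d{4})\b", re.I)

# Constructed sample that shows every indicator from the article.
SUSPICIOUS_MAIL = """From: ISSC Helpdesk <ulcn@leidenuniv.nl>
To: staff@leidenuniv.nl
Subject: Action required: ULCN account

Log in within 24 hours, otherwise your account will be blocked.
<a href="http://ulcn.systemconcern.example/login">Log in to ULCN</a>
Questions? Call the ULCN Helpdesk on 8889.
"""

# Constructed sample of a mail that matches the expected layout and contacts.
LEGITIMATE_MAIL = """From: ULCN <noreply@leidenuniv.nl>
To: staff@leidenuniv.nl
Subject: Password expiry notice

Your password expires next month. You can change it at
<a href="https://login.leidenuniv.nl/change">the ULCN login page</a>.
Questions? Call the ISSC Helpdesk on 8888.
"""


def find_indicators(raw_mail: str) -> list[str]:
    """Return the short names of every phishing indicator found in raw_mail."""
    msg = message_from_string(raw_mail)
    body = msg.get_payload()
    found = []

    # (1) sender address differs from the standard noreply address
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() != EXPECTED_SENDER:
        found.append("sender")

    # (3) pressure: threat that the account will be blocked
    if URGENCY_RE.search(body):
        found.append("urgency")

    # (2) any link whose host is not the expected login page
    for url in HREF_RE.findall(body):
        if (urlparse(url).hostname or "") != EXPECTED_LOGIN_HOST:
            found.append("link")
            break

    # (4) the University has no separate ULCN Helpdesk
    if re.search(r"\bULCN Helpdesk\b", body):
        found.append("helpdesk-name")

    # (4) helpdesk number other than the ISSC number
    if any(number != HELPDESK_PHONE for number in PHONE_RE.findall(body)):
        found.append("phone")

    return found


def is_suspicious(raw_mail: str) -> bool:
    """Treat a mail as suspicious when at least two indicators are present."""
    return len(find_indicators(raw_mail)) >= 2


if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS_MAIL), ("legitimate", LEGITIMATE_MAIL)):
        print(label, find_indicators(mail), is_suspicious(mail))
```

The sender check only compares the address in the From header, so it catches a wrong address but not a forged one; pairing it with the mail server's SPF/DKIM results is what makes that check reliable in practice.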